Developer sentenced to 4 years in prison for creating a “kill switch” in his former employer’s systems

Date: 26/08/2025

55-year-old Davis Lu received four years in prison for sabotaging his former employer’s Windows network. Lu carried out his revenge using custom malware and a special “kill switch” that locked out all employees after his account was disabled.

As the U.S. Department of Justice reports, Lu, a Chinese national lawfully residing in Houston, worked at Ohio-based Eaton Corporation from 2007 until his termination in 2019. After a corporate reorganization and subsequent demotion in 2018, Lu realized that his termination was inevitable and decided to take revenge on his employer by implanting malicious code into the Windows environment of the manufacturing systems.

The malicious code used “infinite loops” that overloaded servers, deleted coworkers’ profile files, blocked legitimate logins, and caused system outages. In addition, Lu created a software “kill switch” called IsDLEnabledinAD (short for “Is Davis Lu enabled in Active Directory”), which automatically blocked all users if the developer’s account was disabled in Active Directory.

On September 9, 2019, Lu was finally fired, after which his account was disabled. This triggered the “kill switch,” which locked out thousands of the company’s employees around the world.

“The defendant betrayed his employer’s trust by using his access and technical expertise to sabotage corporate networks, creating chaos and causing the company losses amounting to hundreds of thousands of dollars,” the Prosecutor General’s Office commented.

When Lu was asked to return the corporate laptop, he allegedly deleted encrypted data from the device. However, investigators later found search queries on the device indicating that Lu had been researching privilege escalation, process hiding, and ways to quickly delete files.

In March of this year, Lu was found guilty of intentionally causing damage to protected computers. The prosecution emphasized that, in addition to sabotaging his former employer’s network, Lu attempted to cover his tracks, hoping his technical knowledge would help him avoid punishment.

Lu has now been sentenced to four years in prison, and after serving his term the former developer will be required to remain under government supervision for another three years.
